K8s: restructure REC cert page for clarity #3325
🛡️ Jit Security Scan Results
✅ No security findings were detected in this PR
Security scan by Jit
|
|
|
||
| Rotating any of these certificates does not restart REC pods. | ||
|
|
||
| ### Step 1: Create a secret for the certificate |
We now support several possible secret key names to specify the cert/privatekey. This is mentioned in the API reference, but could be useful in here too.
The supported keys are:
- Certificate: `certificate`, `cert`, or `tls.crt`
- Private key: `key` or `tls.key`
tls.crt and tls.key are the ones used with TLS-type secrets - as created by cert-manager.
certificate, cert and key are the ones we previously supported.
I believe we now support any of these, with any of the certificate secrets (@heinrich-redislabs can you please confirm this too?).
Aside from that, there's the (now optional) name key.
Yes that is correct.
The API docs clearly indicate for every secret which field names are supported.
| --from-file=key=</PATH/TO/key.pem> \ | ||
| --from-literal=name=<proxy | api | cm | syncer | metrics_exporter | cp_internode_encryption | dp_internode_encryption> | ||
| ``` | ||
| This is the Kubernetes-native method. The operator detects changes to a referenced secret and rotates the certificate without manual intervention. You can create the secret manually with `kubectl`, or have [cert-manager]({{< relref "/operate/kubernetes/security/cert-manager" >}}) issue and renew it automatically. |
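Review bot: The `--from-literal=name=...` line in the secret-creation command reads as a required argument, while the thread above describes the `name` key as now optional; say in the step text that `name` can be omitted, or drop it from the default command. The placeholder `<proxy | api | cm | ...>` also puts unquoted `|`, `<` and `>` inside a command block, which a shell treats as pipes and redirections if the line is pasted as written; a single placeholder such as `<CERT_NAME>` with the allowed values listed in prose below the block would be safer.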
Some users use kubectl, others oc, depending on the platform. I would rephrase it as:
You can create the secret manually, or have ...
| | Field | Accepted secret keys | | ||
| | ----------- | ------------------------------------- | | ||
| | Certificate | `cert`, `certificate`, or `tls.crt` | | ||
| | Private key | `key` or `tls.key` | |
heinrich-redislabs left a comment
Added some comments, but looks good overall.
zcahana left a comment
LGTM, thanks @kaitlynmichael!
Note
Low Risk
Documentation-only restructure that changes guidance and examples but no runtime code; risk is limited to potential confusion if instructions are inaccurate.
Overview
Clarifies REC certificate replacement by reframing the page around two explicit workflows: operator-managed rotation via `spec.certificates` (recommended) vs direct Redis Software REST API/`rladmin` updates (with a warning about operator overwrites).
Expands the operator-managed path with a supported-certificate mapping table, updated YAML example (adds LDAP/SSO fields), secret creation details (accepted key names, `kubernetes.io/tls` compatibility, and a pre-8.0.18 note), and an explicit rotation verification step via `GET /v1/cluster/certificates`.
Reviewed by Cursor Bugbot for commit f2ae47b. Bugbot is set up for automated code reviews on this repo.